Lesson 35: Attacking in combination with Sqlmap
msf can load third-party components and integrate with third-party frameworks both outside a session and inside one. The command for this is load, and its meaning differs between the two modes. This lesson covers load sqlmap outside a session.

After loading the sqlmap plugin, the main commands are:

```
msf exploit(multi/handler) > help sqlmap

Sqlmap Commands
===============

    Command             Description
    -------             -----------
    sqlmap_connect      sqlmap_connect <host> [<port>]
    sqlmap_get_data     Get the resulting data of the task
    sqlmap_get_log      Get the running log of a task
    sqlmap_get_option   Get an option for a task
    sqlmap_get_status   Get the status of a task
    sqlmap_list_tasks   List the known tasks. New tasks are not stored in DB, so they live as long as the console does
    sqlmap_new_task     Create a new task
    sqlmap_save_data    Save the resulting data as web_vulns
    sqlmap_set_option   Set an option for a task
    sqlmap_start_task   Start the task
```
help <loaded plugin name> prints the third-party plugin's help text.
The sqlmap plugin in msf depends on sqlmap's REST server, sqlmapapi.py. Start it in server mode before use (`python sqlmapapi.py -s`; it listens on 127.0.0.1:8775 by default), connect to it from msf with sqlmap_connect <host> [<port>], and then create and run tasks from the msf console.
sqlmap in turn has full support for msf (for example --os-pwn, which hands a shell off to Metasploit).
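The task workflow behind the commands above (new task, set the url option, start, poll the status, fetch the data) is the same REST exchange the msf plugin performs against sqlmapapi.py. The client below reproduces it as an added example; it is not code from the page, from Metasploit or from sqlmap. The endpoint paths are sqlmapapi's, while the target URL (the page never names the injectable page, so /inject.aspx is assumed), the task id and every reply produced by FakeSqlmapApi are constructed so the script runs offline.

```python
"""Drive sqlmapapi's REST interface the way msf's sqlmap plugin does.

Added example, not code from the page, Metasploit or sqlmap. The endpoint
paths are the ones sqlmapapi.py serves (start it with `python sqlmapapi.py -s`,
default port 8775); the target URL, the task id and every reply produced by
FakeSqlmapApi are constructed for this demo.
"""
import json
import time
import urllib.request


class SqlmapApiClient:
    """One method per msf sqlmap_* command, mapped onto its REST endpoint."""

    def __init__(self, host="127.0.0.1", port=8775, transport=None):
        self.base = f"http://{host}:{port}"
        self.transport = transport or self._http  # transport(method, path, body) -> dict

    def _http(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def _call(self, method, path, body=None):
        reply = self.transport(method, path, body)
        if not reply.get("success"):
            raise RuntimeError(f"sqlmapapi {path}: {reply.get('message', 'failed')}")
        return reply

    def new_task(self):                        # sqlmap_new_task
        return self._call("GET", "/task/new")["taskid"]

    def set_options(self, taskid, **options):  # sqlmap_set_option
        self._call("POST", f"/option/{taskid}/set", options)

    def get_option(self, taskid, name):        # sqlmap_get_option
        return self._call("POST", f"/option/{taskid}/get", {"option": name})[name]

    def start(self, taskid, **options):        # sqlmap_start_task
        return self._call("POST", f"/scan/{taskid}/start", options)["engineid"]

    def status(self, taskid):                  # sqlmap_get_status
        return self._call("GET", f"/scan/{taskid}/status")["status"]

    def log(self, taskid):                     # sqlmap_get_log
        return self._call("GET", f"/scan/{taskid}/log")["log"]

    def data(self, taskid):                    # sqlmap_get_data
        return self._call("GET", f"/scan/{taskid}/data")["data"]


def run_scan(client, url, poll_seconds=2.0, sleep=time.sleep):
    """new task -> set url -> start -> poll until 'terminated' -> fetch data."""
    taskid = client.new_task()
    client.set_options(taskid, url=url)
    client.start(taskid)
    while client.status(taskid) != "terminated":
        sleep(poll_seconds)
    return taskid, client.data(taskid)


def injection_summary(data):
    """Flatten the type-1 (injection technique) records of /scan/<id>/data into
    (place, parameter, technique title) tuples, the facts worth keeping as a
    web_vulns record."""
    found = []
    for entry in data:
        if entry.get("type") != 1:
            continue
        for inj in entry["value"]:
            for technique in inj["data"].values():
                found.append((inj["place"], inj["parameter"], technique["title"]))
    return found


class FakeSqlmapApi:
    """Constructed stand-in for sqlmapapi so the demo runs offline: same paths
    and JSON shapes, but the task id and the 'findings' are invented."""

    def __init__(self, polls_until_done=2):
        self.taskid, self.options, self.started, self.polls = "a1b2c3d4e5f60718", {}, False, 0
        self.polls_until_done = polls_until_done

    def __call__(self, method, path, body=None):
        if path == "/task/new":
            return {"success": True, "taskid": self.taskid}
        parts = path.strip("/").split("/")
        if len(parts) != 3:
            return {"success": False, "message": f"unknown endpoint {path}"}
        kind, taskid, action = parts
        if taskid != self.taskid:
            return {"success": False, "message": "Invalid task ID"}
        if (kind, action) == ("option", "set"):
            self.options.update(body)
            return {"success": True}
        if (kind, action) == ("option", "get"):
            return {"success": True, body["option"]: self.options.get(body["option"])}
        if (kind, action) == ("scan", "start"):
            self.started = True
            return {"success": True, "engineid": 4242}
        if (kind, action) == ("scan", "status"):
            self.polls += 1
            done = self.started and self.polls >= self.polls_until_done
            return {"success": True, "status": "terminated" if done else "running"}
        if (kind, action) == ("scan", "log"):
            return {"success": True, "log": [{"level": "INFO", "message": "testing connection to the target URL"}]}
        if (kind, action) == ("scan", "data"):
            return {"success": True, "data": [
                {"status": 1, "type": 0, "value": {"url": self.options.get("url")}},
                {"status": 1, "type": 1, "value": [{"place": "GET", "parameter": "id",
                    "dbms": "Microsoft SQL Server",
                    "data": {"1": {"title": "AND boolean-based blind - WHERE or HAVING clause",
                                   "payload": "id=1 AND 1234=1234"}}}]}]}
        return {"success": False, "message": f"unknown endpoint {path}"}


if __name__ == "__main__":
    # Offline run against the fake; use SqlmapApiClient("127.0.0.1", 8775) with
    # a real `sqlmapapi.py -s` instance. The target path /inject.aspx is assumed.
    client = SqlmapApiClient(transport=FakeSqlmapApi())
    taskid, data = run_scan(client, "http://192.168.1.115/inject.aspx?id=1", sleep=lambda s: None)
    print(taskid, injection_summary(data))
```

Every sqlmap_* command from the help listing has a one-line counterpart here, so the script doubles as a map of what msf sends on the wire; the only thing msf adds on top is sqlmap_save_data, which stores the summarised findings in its own database.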
Target: 192.168.1.115, SQL Server 2005 + ASP.NET (aspx)
Constructed injection point, Figure 1:
[Figure 1: the constructed injection point]
Data structure, Figure 2:
[Figure 2: the data structure]
The combination of msf and sqlmap will be covered further in later lessons of this series; this lesson is the foundation.

Appendix:

Injection-point code (the id parameter is concatenated straight into the SQL string; a parameterized query with SqlParameter would close the hole):
```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<!DOCTYPE html>
<script runat="server">
    private DataSet resSet = new DataSet();

    protected void Page_Load(object sender, EventArgs e)
    {
        String strconn = "server=.;database=xxrenshi;uid=sa;pwd=123456";
        string id = Request.Params["id"];
        //string sql = string.Format("select * from admin where id={0}", id);
        // Injection point: the raw id parameter becomes part of the statement.
        string sql = "select * from sys_user where id=" + id;
        SqlConnection connection = new SqlConnection(strconn);
        connection.Open();
        SqlDataAdapter dataAdapter = new SqlDataAdapter(sql, connection);
        dataAdapter.Fill(resSet);
        connection.Close();
        DgData.DataSource = resSet.Tables[0];
        DgData.DataBind();
        // Echoing the statement back makes the injection visible in the response.
        Response.Write("sql:<br>" + sql);
        Response.Write("<br>Result:");
    }
</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:DataGrid ID="DgData" runat="server" BackColor="White" BorderColor="#3366CC"
            BorderStyle="None" BorderWidth="1px" CellPadding="4"
            HeaderStyle-CssClass="head" Width="203px">
            <FooterStyle BackColor="#99CCCC" ForeColor="#003399" />
            <SelectedItemStyle BackColor="#009999" Font-Bold="True" ForeColor="#CCFF99" />
            <PagerStyle BackColor="#99CCCC" ForeColor="#003399" HorizontalAlign="Left" Mode="NumericPages" />
            <ItemStyle BackColor="White" ForeColor="#003399" />
            <HeaderStyle CssClass="head" BackColor="#003399" Font-Bold="True" ForeColor="#CCCCFF"></HeaderStyle>
        </asp:DataGrid>
    </div>
    </form>
</body>
</html>
```
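To see why the appendix page is injectable, and what the parameterized alternative changes, the following added example replays the concatenated query and its hardened form against an in-memory SQLite table. It is not code from the page: SQLite stands in for the SQL Server 2005 instance, and the sys_user table, its rows and the probe values are constructed here. It also shows the TRUE/FALSE differential that sqlmap's boolean-based blind check depends on, which is the technique sqlmap would detect against this page.

```python
"""The injection point from the appendix, and the parameterized query that
closes it, replayed against an in-memory SQLite table.

Added example, not code from the page. SQLite stands in for SQL Server 2005;
the sys_user table and its rows are constructed for this demo.
"""
import sqlite3


def make_db():
    """Constructed sys_user table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO sys_user VALUES (?, ?)",
                     [(1, "admin"), (2, "operator"), (3, "guest")])
    return conn


def query_concat(conn, raw_id):
    """The appendix's pattern: "select * from sys_user where id=" + id.
    Whatever arrives in ?id= becomes part of the statement."""
    sql = "select * from sys_user where id=" + raw_id
    return conn.execute(sql).fetchall()


def query_param(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter
    (what SqlParameter does for SqlClient). Non-numeric input never reaches
    the database."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    return conn.execute("select * from sys_user where id=?", (id_value,)).fetchall()


def boolean_blind_probe(query, conn, base_id="1"):
    """The differential sqlmap's boolean-based blind check relies on: the same
    id with a TRUE condition and with a FALSE condition appended. A difference
    in the result means the condition was evaluated by the database, i.e. the
    parameter is injectable."""
    true_rows = query(conn, f"{base_id} AND 1=1")
    false_rows = query(conn, f"{base_id} AND 1=2")
    return true_rows != false_rows


if __name__ == "__main__":
    conn = make_db()
    print(query_concat(conn, "1 OR 1=1"))   # every row comes back
    print(query_param(conn, "1 OR 1=1"))    # nothing: not a valid id
    print(boolean_blind_probe(query_concat, conn), boolean_blind_probe(query_param, conn))
```

With the concatenated query the probe returns True (one row for AND 1=1, none for AND 1=2), which is exactly the signal sqlmap reports as boolean-based blind injection on the id parameter; with the parameterized query both probes are rejected before any SQL runs, so the probe returns False.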
Micropoor